Working with management groups and the Tachyon PowerShell Toolkit
How to work with management groups using the Tachyon PowerShell Toolkit.
About Management Groups
Management groups provide a powerful mechanism for cleanly partitioning and classifying devices within an estate. Management groups are associated with one or more rules (not to be confused with Tachyon's Guaranteed State rules) which define the criteria for group membership. For example, you could define a management group whose membership rule was that all devices whose fqdn contained a particular string would be members of the group.
Note
Tachyon version 8 has introduced changes to the way management groups work. Although in most cases the broad concepts are similar, there are some important differences. Please refer to Management group changes in Tachyon v8 for a summary of changes.
Management groups and the SLA subsystem
Tachyon relies on the SLA subsystem for management group functionality. While versions prior to release 8 of Tachyon could be configured to be independent of SLA, this functionality is now deprecated. However, Tachyon keeps information on management groups internally and requires synchronisation with the SLA subsystem in order to reconcile the SLA management groups with its internal set of groups.
Internally, Tachyon associates a simple set of device FQDNs with a management group. The SLA subsystem is responsible for dynamically evaluating the rules associated with its management groups and then updating this device list on the Tachyon side. Devices which are matched by the rules are included in the list and devices which fail to match are excluded.
Note
Tachyon v8 introduced Direct-based management groups. These allow management groups to be defined by one or more FQDNs which make up the group membership, rather than a set of dynamic matching rules. This facilitates the synchronisation of large device collections from external sources such as Microsoft Endpoint Configuration Manager. For more information about them, please refer to Direct-based management groups.
The PowerShell Toolkit has a set of cmdlets to create and update SLA management groups and to manage the synchronisation of SLA management groups with Tachyon. For more information, please refer to Instruction management cmdlets.
Getting started with management groups
After installation, Tachyon does not contain any pre-defined management groups.
For versions from Tachyon v8 onwards, you can follow the simple test scenario documented in the section below 'Understanding SLA Management Groups - a simple test scenario' to create and verify groups using the Tachyon PowerShell Integration Toolkit cmdlets.
Note
If you have issues running the connector sync during the above process, and these indicate licensing issues with the 1E-Inventory-* instructions, ensure that your Tachyon license has a valid entry under the TachyonExplorer section which associates the 1E-Inventory prefix with a valid signer hash. If you are unsure of the correct value for this, you can use the export-instruction cmdlet to retrieve one of the inventory instructions, open it in TIMS and inspect its code signing certificate. The thumbprint value of that certificate is the hash required in the license entry. In the example below, the 1E-Inventory prefix is included in the TachyonExplorer feature along with the inventory consumer and specifies a certificate thumbprint beginning E9AD.... which corresponds to the certificate used to sign the 1E-Inventory instructions distributed with this version of Tachyon.
Note that these thumbprint values may change across releases if new certificates are used, so you should check their validity in the event of problems, by loading the instruction into TIMS and cross-referencing with the actual signing certificate thumbprint, as discussed above.
<Feature name="TachyonExplorer">
    <Consumer name="Platform" enable="on"> </Consumer>
    <Consumer name="Explorer" enable="on"> </Consumer>
    <Consumer name="Syslog" enable="on"> </Consumer>
    <Consumer name="Experience" enable="on"> </Consumer>
    <Consumer name="PatchSuccess" enable="on"> </Consumer>
    <Consumer name="GuaranteedState" enable="on"> </Consumer>
    <Consumer name="Inventory" enable="on"> </Consumer>
    <Instructions signersha="F08386A5318A8187D79B0A58253C65CB4E442570" pattern="1E-Explorer-*"> </Instructions>
    <Instructions signersha="323048C57C2A82DF852E1BC9AAA2DC2793E3D2B1" pattern="1E-Exchange-*"> </Instructions>
    <Instructions signersha="E9AD8EA04811AF7D0CF827AC015183481D78358D" pattern="1E-Explorer-*"> </Instructions>
    <Instructions signersha="A2837DBA33FBF3C29B7E72156729D1339A636344" pattern="1E-Exchange-*"> </Instructions>
    <Instructions signersha="E9AD8EA04811AF7D0CF827AC015183481D78358D" pattern="1E-Inventory-*"> </Instructions>
</Feature>
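The cross-check described above can be scripted once you have read the signing certificate thumbprint in TIMS. The following is an added example, not code from the Toolkit or from 1E: the helper name Test-InstructionSignerLicensed and the instruction name 1E-Inventory-Example are hypothetical, and the pattern attribute is assumed to be a simple wildcard.

```powershell
# Trimmed copy of the <Feature> fragment above (signer hashes as shown on this page).
[xml]$licenseXml = @'
<Feature name="TachyonExplorer">
  <Consumer name="Inventory" enable="on"></Consumer>
  <Instructions signersha="F08386A5318A8187D79B0A58253C65CB4E442570" pattern="1E-Explorer-*"></Instructions>
  <Instructions signersha="E9AD8EA04811AF7D0CF827AC015183481D78358D" pattern="1E-Explorer-*"></Instructions>
  <Instructions signersha="E9AD8EA04811AF7D0CF827AC015183481D78358D" pattern="1E-Inventory-*"></Instructions>
</Feature>
'@

# Hypothetical helper (not a Toolkit cmdlet): is this signer licensed for this instruction?
function Test-InstructionSignerLicensed {
    param(
        [Parameter(Mandatory)] [xml]    $License,
        [Parameter(Mandatory)] [string] $InstructionName,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # Thumbprints pasted from a certificate dialog often contain spaces or
    # invisible characters; keep hex digits only before comparing.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($wanted.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($wanted.Length)."
    }
    # Assumption: 'pattern' is a simple wildcard, so -like can evaluate it.
    # One pattern may appear several times with different signers; collect them all.
    $entries = @($License.Feature.Instructions |
        Where-Object { $InstructionName -like $_.pattern })
    $signers = @($entries | ForEach-Object { $_.signersha.ToUpperInvariant() })
    [pscustomobject]@{
        Instruction     = $InstructionName
        LicensedSigners = $signers
        SignerLicensed  = $signers -contains $wanted
    }
}

# Constructed instruction name; the thumbprint is the E9AD... value, pasted with spaces.
Test-InstructionSignerLicensed -License $licenseXml -InstructionName '1E-Inventory-Example' `
    -Thumbprint 'E9AD 8EA0 4811 AF7D 0CF8 27AC 0151 8348 1D78 358D'

# A signer listed only for 1E-Explorer-* is not licensed for the 1E-Inventory prefix.
Test-InstructionSignerLicensed -License $licenseXml -InstructionName '1E-Inventory-Example' `
    -Thumbprint 'F08386A5318A8187D79B0A58253C65CB4E442570'
```

A SignerLicensed value of False for an inventory instruction points to the license entry described in the note above: either the 1E-Inventory prefix is missing or its signer hash no longer matches the certificate in use.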
Creating a management group from the Settings UI
You create a management group from the Tachyon Settings application, by selecting Permissions/Management Groups.
For example, you can create a group which is associated with all processors having 2 cores.
Note
It appears to be necessary to check the 'evaluate rules immediately' option when saving the group for it to become visible via the Tachyon API and thus usable by the PowerShell Integration Toolkit.
Verifying a management group
You can use the 'get-Tachyonrespondingdevice' cmdlet to determine which devices would be associated with a management group at any point in time. To do this, first use the 'get-Tachyonmanagementgroup' cmdlet to list management groups and determine the 'usableid' property of the group you wish to interrogate.
For example:
If we wanted to determine which devices are associated with a management group we can then interrogate group membership like this.
Note that the UsableId property of the group above is 6, so we specify that in the target scope expression.
Management groups and SLA
Tachyon can synchronise its internal management groups with SLA management groups. SLA management groups define device membership by a set of rules which specify device attributes such as full or partial OU path etc.
When Tachyon synchronises with SLA, it retains a list of the devices that matched the SLA management group rules, that were also in the associated SLA repository at the time of synchronisation. From this point, Tachyon uses that device list as the group membership until such time as the group is re-synchronised from SLA.
SLA management groups are created and managed using the Tachyon settings application. You can also create SLA management groups using the PowerShell Integration Toolkit.
You can view SLA management groups using the get-tachyonmanagementgroup cmdlet and specifying the optional -Source argument as SLA.
When you do this, management group information is retrieved via the SLA API rather than directly from Tachyon itself.
You can also view SLA management groups using the get-tachyonslamanagementgroup cmdlet, which returns only SLA management groups. This cmdlet has the additional option of returning the rules associated with an SLA management group.
Note that SLA management group properties are in some cases different from Tachyon management group properties, as you can see from the example below.
Starting with version 8 of Tachyon, there are additional cmdlets to manage SLA management groups. These are discussed in the cmdlet reference page Instruction management cmdlets.
Collecting inventory via SLA
In order to test management group functionality, we need to perform an inventory collection sync, as follows.
Create a Tachyon connector
On the connectors screen create a new connector called Tachyon. Associate it with the Inventory repository and point it at the appropriate consumer URL on your Tachyon server. In this example the Tachyon server is tachyonv8.urth.local.
Ensure that the account that the connector runs under is an account granted the Global Administrator role - in this test lab, this corresponds to the CISO account - and enter the account password.
Save the connector.
Select the connector and press Execute.
Enter the details into the following screen as shown below.
Press Execute. You can view the progress of the sync from Monitoring/Process Log in the UI.
Once the sync is complete, we can experiment with management groups.
Verify devices have been captured
If you use a target scope of 'urth', which is a shortcut for 'fqdn like %urth%' as a Tachyon scope expression, you should find both devices returned.
Create a test management group
Now let's create an SLA management group that filters this device set.
We will use a rule which matches device Fqdns that are like "%dev%". This will only return one of the two devices.
Note
The square brackets around the entity names are not required unless any part of the name has embedded spaces. You could, for example, just say "ReportDevice.Fqdn like %dev".
Note
Please refer to SLA management groups and rule expressions for a discussion of SLA management group rule expressions and the entities that you can use with them. Note that SLA entity names will be different from Tachyon entity names. The attribute part of the names (in this example Fqdn) is also case-sensitive.
Synchronise the group with Tachyon
In order for Tachyon to use the group we just created, we need to synchronise Tachyon with SLA.
Note
Although we are only dealing with a single management group here, when you synchronise a particular group, you will also cause any other newly-created groups to be synchronised with Tachyon and any deleted groups will be removed.
However, only the specified group is updated, so any other groups in SLA which have been changed don't get re-synchronised unless you specify them individually in calls to Sync-TachyonSLAManagementGroup.
Also, newly-created groups in Tachyon must be specifically synchronised (by specifying their Id in the Sync-TachyonSLAManagementGroup cmdlet) in order for the actual device membership associated with the group to be updated. Until this is done, the group in Tachyon will appear to contain no devices.
To obtain the repository Id value, we can query for all SLA repositories, and locate the Default Inventory repository. It is the Id of this repository which we then provide to the sync-TachyonSLAManagementGroup cmdlet.
Now verify that Tachyon has the new management group.
Note
The management group in Tachyon may end up with a different Id. Its UsableId value is what we will use when querying in Tachyon.
If you delete a management group in SLA, it remains visible in Tachyon until you perform a sync operation for another existing SLA management group. At this point, the group is also deleted from Tachyon.
Determine the devices which fall into the scope of the management group.
Note
If you don't get any devices, try executing a sync again from the Tachyon Platform UI but select 'generate report - basic inventory consolidation' instead of 'Sync Data - Tachyon'. Then try running the Sync-TachyonSLAManagementGroup cmdlet again and re-check.
You can now experiment by modifying the existing group or creating a new one. For example, suppose we change the existing group in SLA.
We re-synchronise.
Wait about a minute for the sync to complete. Now when we re-evaluate the rule, we see that the filtered devices have changed accordingly.
Direct-based management groups
Using the PowerShell Toolkit to create and update Direct-based management groups.
These management groups are distinct from Rule-based management groups, which are discussed on the parent page to this.
Direct-based management groups allow you to specify a list of specific device FQDNs which are to belong to a management group.
Creating or updating a Direct-based management group
Direct-based management groups are managed a little differently than Rule-based groups. This reflects that the underlying APIs to manage them are also different.
You create or update a Direct-based management group using the Set-TachyonSLADirectManagementGroup cmdlet. You specify the name of the group and optionally its description. You also pass in an array of one or more FQDNs which correspond to the devices which are to be members of the group.
Note
Unlike Rule-based management groups, calling this cmdlet will immediately cause a synchronization operation to occur between SLA and Tachyon, updating or adding any management groups to Tachyon during this process. Note that the synchronization process will add any other management groups that were created, including Rule-based groups, and it will delete any groups that have been deleted from SLA.
After the synchronization process is complete, you can then use the management group in a Tachyon scope expression just like a Rule-based group.
If the synchronization process added new groups to Tachyon, you must explicitly synchronize these with the Sync-TachyonSLAManagementGroup cmdlet to cause their device membership to be updated. Until this is done, these new groups will appear to be empty.
You can retrieve the group membership of a Direct-based management group using the Get-TachyonSLAManagementGroupDevice cmdlet.